CVE-2026-11569 PUBLISHED

Quay: quay: stored xss via filedrop svg upload

Assigner: redhat
Reserved: 08.06.2026 Published: 08.06.2026 Updated: 08.06.2026

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Quay 3
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Quay 3
Versions	Default: affected

Credits

This issue was discovered by Toni Gornals (Red Hat Product Security).

References

Problem Types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE